Microsoft Defender falsely detects Win32/Hive.ZY in Google Chrome, Electron apps

Microsoft Defender falsely detects Win32/Hive.ZY in Google Chrome, Electron apps

Microsoft Defender falsely detects Win32/Hive.ZY in Google Chrome, Electron apps

Additional updates to the story are below, including the version of security intelligence updates required to fix Win32/Hive.ZY false positive.

A bad Microsoft Defender signature update mistakenly detects Google Chrome, Microsoft Edge, Discord, and other Electron apps as ‘Win32/Hive.ZY’ each time the apps are opened in Windows.

The issue started Sunday morning when Microsoft pushed out Defender signature update 1.373.1508.0 to include two new threat detections, including Behavior:Win32/Hive.ZY.

“This generic detection for suspicious behaviors is designed to catch potentially malicious files. If you downloaded a file or received it through email, ensure that it is from a reliable source before opening it,” reads the Microsoft detection page for Win32/Hive.ZY.

According to BornCity, the false positive is widespread, with users reporting on BleepingComputer, Twitter, and Reddit that the detections appear each time they open their browser or an Electron app.

Microsoft Defender falsely detecting Win32/Hive.ZY
Microsoft Defender falsely detecting Win32/Hive.ZY
Source: Twitter

Even though Microsoft Defender will continuously display these detections when apps are opened, it is important to note that this is a false positive, and your device is mistakenly being detected as infected.

Microsoft has since released two new Microsoft Defender security intelligence updates, the latest being 1.373.1518.0.

While this signature update does not display Win32/Hive.ZY detections in BleepingComputer’s tests, other users report that they continue to receive false positives.

To check for new security intelligence updates, Windows users can search for and open Windows Security from the Start Menu, click Virus & threat protection, and then click on Check for updates under Virus & threat protection updates.

Currently installed Microsoft Defender security intelligence versions
Currently installed Microsoft Defender security intelligence versions
Source: BleepingComputer

While it is usually not required, in this case, it may be helpful to reboot Windows after installing the new security intelligence update to see if it resolves the false positive.

As this issue is widespread and causing panic among Windows users worldwide, we will likely see a new update fixing the problem within a few hours, if not sooner.

At this time, there has been no formal confirmation of the issue from Microsoft.

Update 6:47 PM EST:

Microsoft has released Microsoft Defender security intelligence update version 1.373.1537.0, which from reports, appears to resolve the Win32/Hive.ZY false positive experienced by Windows users today.

You can follow the instructions at the end of this article to update to this version.

Update 9:25 PM EST:

Microsoft shared the following statement with BleepingComputer:

“We have released an update to address this issue and customers using automatic updates for Microsoft Defender do not need to take additional action.” – a Microsoft spokesperson.

In addition Microsoft shared that enterprise customers managing their updates should ensure they are using detection build 1.373.1537.0 or newer.

Leave a Reply